Buffalo (ShuiNiu.exe) virus: manual removal without a dedicated removal tool

Source: Internet
Author: User
This is a malicious program that spreads through removable storage, terminates anti-virus software and downloads a Trojan. It injects its code into Svchost.exe to protect itself, which makes finding and deleting it harder. Because its main file is named "ShuiNiu.exe" (shuiniu means water buffalo), it is called the "Buffalo" virus.


Quote:
File: ShuiNiu.exe
Size: 22069 bytes
Modified: 2007-11-05 10:13:38
MD5: 1fa97a5e1766d6e668321838a6f3e536
SHA1: 94388083fb1cdd3003fe13046bc817ab0f6d7fd0
CRC32: 1d66bfab


Technical details:

1. When run, the virus drops a copy of itself at
%systemroot%\system32\shuiniu.exe

and writes ShuiNiu.exe together with an autorun.inf to removable storage so that it spreads via USB flash drives and other removable media.

2. Calls cmd to change the system time to 2005-10-31.

3. Deletes the following keys:
System\CurrentControlSet\Control\SafeBoot\Minimal
System\ControlSet001\Control\SafeBoot\Network
System\ControlSet001\Control\SafeBoot\Minimal

This breaks Safe Mode.

4. Adds Image File Execution Options (IFEO) hijack entries so that the following security tools are redirected to

%systemroot%\system32\shuiniu.exe

when launched:


Code:
360rpt.exe
360Safe.exe
360tray.exe
Adam.exe
AgentSvr.exe
AppSvc32.exe
Autoruns.exe
Avgrssvc.exe
AvMonitor.exe
Avp.com
Avp.exe
CCenter.exe
CcSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
Iparmo.exe
Iparmor.exe
IsPwdSvc.exe
Kabaload.exe
Kascrscn.scr
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
Krepair.com
KsLoader.exe
Kvcenter.kxp
KvDetect.exe
KvfwMcl.exe
Kvmonxp.kxp
Kvmonxp_1.kxp
Kvol.exe
Kvolself.exe
Kvreport.kxp
Kvscan.kxp
KVSrvXP.exe
Kvstub.kxp
Kvupload.exe
Kvwsc.exe
Kvxp.kxp
Kvxp_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
Loaddll.exe
MagicSet.exe
Mcconsol.exe
Mmqczj.exe
Mmsk.exe
NAVSetup.exe
Nod32krn.exe
Nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
Rfwcfg.exe
RfwMain.exe
RfwProxy.exe
Rfwsrv.exe
RsAgent.exe
Rsaupd.exe
Runiep.exe
Safelive.exe
Scan32.exe
Shcfg32.exe
SmartUp.exe
SREng.exe
Symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
Trojdie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
WoptiClean.exe


5. Adds the following value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the virus is launched at startup:

<DsNiu><%systemroot%\system32\ShuiNiu.exe> []

6. Launches IE to download
Http://www.huigui.org/UpFile/UpFace/bak.exe

but the link is no longer valid, so the download fails.

7. After running, drops a batch file ~dsniu!.bat that deletes the original file.

8. The more sinister part follows: once the above actions are complete, the virus starts two svchost.exe processes, writes its own code into both, and the ShuiNiu.exe process then exits.
These two svchost.exe processes watch each other, and ShuiNiu.exe cannot be deleted while they are running.

9. The virus body contains the string "Fuck You".
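As an added example, not part of the original write-up, the following Python script checks an exported .reg file for the three registry artifacts described in steps 3 to 5: IFEO Debugger values that redirect a security tool to shuiniu.exe, a Run value that launches ShuiNiu.exe, and missing SafeBoot keys. The embedded export is constructed for illustration, and the SafeBoot check assumes the export covers HKEY_LOCAL_MACHINE.

```python
# Constructed sample .reg export (not from the page): two IFEO hijacks, one
# legitimate debugger entry, the DsNiu Run value, and no SafeBoot\Minimal key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\shuiniu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\shuiniu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Tools\\windbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DsNiu"="C:\\WINDOWS\\system32\\ShuiNiu.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""
IFEO = "\\Image File Execution Options\\"
# Keys the virus deletes (step 3); if absent, Safe Mode no longer works.
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
def parse_reg(text):
    # Minimal .reg parser: {key_path: {value_name: data}}; string values only.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_shuiniu_artifacts(text):
    # Returns (kind, where, data) tuples, one per artifact found.
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if IFEO.lower() in path.lower():
            dbg = values.get("Debugger", "")
            if dbg.lower().endswith("shuiniu.exe"):  # step 4: hijacked tool
                findings.append(("ifeo_hijack", path.rsplit("\\", 1)[1], dbg))
        elif path.lower().endswith("\\currentversion\\run"):
            for name, data in values.items():
                if "shuiniu.exe" in data.lower():  # step 5: persistence
                    findings.append(("run_key", name, data))
    present = {p.lower() for p in keys}
    for key in SAFEBOOT_KEYS:
        if key.lower() not in present:
            findings.append(("safeboot_missing", key, ""))
    return findings
```

On a live machine the same export is produced with `reg export HKLM hklm.reg`; feed its text to find_shuiniu_artifacts to get the list of entries to clean.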


Manual Workaround:


Download SREng and XDelBox.


1. Extract all files from the XDelBox archive into a folder. In the box next to the Add button, enter C:\windows\system32\ShuiNiu.exe


After you press Enter, click the Add button; the file you added appears in the large box below. Select all the files in the large box (hold down Ctrl), right-click, and choose "Reboot and delete immediately".


2. After the reboot, open SREng.

Under Startup Items, Registry, delete the following item:
<DsNiu><%systemroot%\system32\ShuiNiu.exe> []

and remove all IFEO hijack items shown in red.

Alternatively, in SREng choose System Repair, Advanced Repair, Fix Safe Mode.

3. Finally, set the system time back to the correct value.
